QIF Guardrail Proposals
QIF defines the threat model. These are proposed guardrails for how BCI security should work. Three components form a vertically integrated neurosecurity stack: a signal-layer firewall that guards inbound neural signals, a post-quantum wire protocol that secures data in transit, and an on-device compiler that enforces policy through safe bytecode execution.
Each guardrail is independently useful, but they were designed to work together. Neurowall detects and filters attacks at the signal boundary. NSP encrypts and authenticates every frame that passes through. Runemate compiles policy rules into on-chip bytecode that Neurowall's L3 policy agent executes, and delivers secure UI content over NSP sessions.
The Neurosecurity Stack
The QIF neurosecurity stack positions Neurowall and Runemate as sibling components at the I0 (Neural Interface) bottleneck of the hourglass model. Neurowall guards the inbound signal path. Runemate guards the outbound rendering path. Both rest on NSP for cryptographic transport.
Neurowall
Hardware firewall for neural signals. Three concentric defense layers filter signal injection, protect against neural fingerprinting, and enforce security policy in real time. Guards the read path: raw EEG/EMG from electrodes through filtering, anomaly detection, and policy enforcement.
NSP Protocol
Post-quantum wire protocol. Handles key exchange (ML-KEM-768), frame encryption (AES-256-GCM-SIV), signature amortization (Merkle trees + ML-DSA), and 20-year key lifecycle management. Every neural data frame passes through NSP before leaving the device.
Runemate
On-device DSL compiler and execution engine. Compiles neural UI definitions and security policies into compact Staves bytecode. The Scribe interpreter runs on-chip in < 200KB, executing policy rules for Neurowall's L3 agent and rendering safe multimodal content. Guards the write path.
Neurowall v0.8
Neurowall is a hardware-level security architecture for non-intrusive BCI wearables: smart glasses with temporal dry EEG/EOG sensors and subvocal collars with jawline EMG arrays. It provides three concentric defense layers that operate entirely on-device, with no dependency on a phone app or cloud service to enforce neural privacy.
Signal Boundary
Physical / EMV: Prevents hardware-level signal injection and SSVEP-based adversarial attacks. Includes notch filters, impedance guard, and frequency-domain anomaly detection.
Inference Guard
Privacy: Prevents neural fingerprinting and intent exfiltration via on-device Differential Privacy. Laplace noise applied pre-transmission so raw neural signals never leave the device.
Policy Agent
Enforcement: RunematePolicy engine, a prioritized rule-stack that evaluates NISS scores, anomaly levels, and detector flags to dynamically adjust DP epsilon, suppress stimulation, and escalate alerts.
Integration: Neurowall does not build its own crypto or compression stack. L1 and L2 process raw signals on-device. All outbound data passes through NSP for post-quantum encryption and Merkle-authenticated transport. L3 policy rules are compiled by Runemate's Forge, signed with ML-DSA, and executed on-chip by the Scribe interpreter.
Detection Results
Neurowall's detection pipeline has been tested against 15 TARA-mapped attack scenarios, including 5 adversarial-aware attacks designed by attackers who understand the defense architecture. The results below are from simulation (v0.7) with single-run 15-second observation windows.
11/14 Attacks Detected
4/5 Adversarial-Aware
0% False Positive Rate
20s 100% Detection
| # | Attack | Detected By | Result |
|---|---|---|---|
| 1 | SSVEP 15Hz | SSVEP | detected |
| 2 | SSVEP 13Hz (novel freq) | Spectral Peak | detected |
| 3 | Impedance Spike | L1 | detected |
| 4 | Slow DC Drift | Spectral Peak | detected |
| 5 | Neuronal Flooding (T0026) | L1 + SSVEP | detected |
| 6 | Boiling Frog (T0066) | -- | evaded |
| 7 | Envelope Modulation (T0014) | Monitor | detected |
| 8 | Phase Replay (T0067) | -- | evaded |
| 9 | Closed-Loop Cascade (T0023) | Monitor | detected |
| 10 | Notch-Aware SSVEP 12Hz | Spectral Peak | detected |
| 11 | Freq-Hopping SSVEP | Monitor | detected |
| 12 | Threshold-Aware Ramp | -- | evaded |
| 13 | CUSUM-Aware Intermittent | Monitor | detected |
| 14 | Spectral Mimicry | Monitor | detected |
Duration Sweep
Detection improves with observation time. At 20 seconds, all 9 attack types are caught with a 5% false positive rate.
| Duration | Detected | Evaded | Notes |
|---|---|---|---|
| 10s | 6/9 | 3/9 | Cascade, boiling frog, phase replay evade |
| 15s | 8/9 | 1/9 | Only boiling frog evades |
| 20s | 9/9 | 0/9 | All attacks caught |
| 30s | 9/9 | 0/9 | All attacks caught |
Independent Validation
Validated against BrainFlow's synthetic board (16-channel, 250Hz) as an independent EEG source not designed with the Neurowall detector. This confirms the coherence monitor generalizes beyond the built-in synthetic generator.
100% Detection (5 attacks, 20 runs)
0% False Positive Rate
16ch Channels Tested
0.089 Cs Spread (< 0.15 PASS)
Sovereignty Attacks
The most dangerous BCI attacks are the ones that slowly drift cognition without the subject's awareness. We call this class Sovereignty Attacks because they compromise the subject's sovereignty over their own neural state, violating Cognitive Liberty (CL) — the neuroright that protects the freedom to direct one's own thinking without external manipulation.
The covert nature is what makes these categorically different: the subject cannot refuse what they cannot perceive.
This Is Not New to BCIs
Subliminal steganography — hiding messages in signals the conscious mind cannot perceive — predates brain-computer interfaces entirely. The human critical flicker fusion (CFF) threshold is approximately 60 Hz. Displays refreshing above this rate can embed visual stimuli that the conscious mind cannot see but the visual cortex still processes and responds to. BCIs simply give the attacker a feedback loop: embed the stimulus, read the neural response, adapt.
Ming et al. (2023): Built a 60 Hz SSVEP BCI — above conscious perception — achieving 52.8 bits/min from stimuli users could not see.
Bian, Meng & Wu (2022): Trivial square wave injection forces any target BCI classification.
Zhang et al. (2021): Imperceptible adversarial perturbations force EEG-BCI spellers to output any character the attacker wants.
SAIL Lab (2023): Sensory-channel manipulation degrades motor imagery BCI performance across all subjects (p=0.0003). You don't hack the BCI — you attack the human.
Boiling Frog (Adiabatic Slow Drift)
Manipulates BCI parameters along adiabatic paths in neural phase space, keeping instantaneous change rates below detection thresholds while accumulating significant cognitive displacement over time. The attack is invisible to AC-coupled systems because AC coupling mathematically removes the DC component being manipulated.
Detection Gap
AC-coupled EEG systems filter out DC drift entirely. This is not a detector failure — it is a fundamental thermodynamic trade-off in signal acquisition.
Defense
Hardware reference electrode (Phase 1), cumulative phase-space displacement tracking
Historical Precedent
Not new to BCIs. Subliminal advertising via imperceptible screen flicker has been studied since the 1950s. The human critical flicker fusion (CFF) threshold is approximately 60 Hz — displays refreshing above this rate can embed visual stimuli that the conscious mind cannot perceive but the visual cortex still processes and responds to.
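The detection gap and the proposed defense for slow drift, as an added example (not Neurowall's own code): a one-pole high-pass filter stands in for AC coupling, and the per-window baseline values and both thresholds are constructed assumptions.

```python
def high_pass(x, alpha=0.9):
    """One-pole high-pass filter: a simple stand-in for an AC-coupled front end."""
    out, prev_x, prev_y = [], x[0], 0.0
    for v in x:
        prev_y = alpha * (prev_y + v - prev_x)
        prev_x = v
        out.append(prev_y)
    return out

def step_rate(x):
    """Window-to-window change, the quantity an instantaneous-rate detector sees."""
    return [0.0] + [b - a for a, b in zip(x, x[1:])]

def displacement(x, reference):
    """Offset from a fixed reference captured at calibration (DC-coupled path)."""
    return [v - reference for v in x]

def first_alarm(values, limit):
    """Index of the first window whose magnitude exceeds the limit, else None."""
    return next((i for i, v in enumerate(values) if abs(v) > limit), None)

# Constructed per-window baseline in µV: 20 stable windows, then +0.5 µV per window.
BASELINE = [0.0] * 20 + [0.5 * k for k in range(1, 201)]
RATE_LIMIT = 2.0           # assumed per-window change threshold (µV)
DISPLACEMENT_LIMIT = 20.0  # assumed cumulative displacement threshold (µV)

def compare():
    """First alarm index per detector; None means the drift was never flagged."""
    ac = high_pass(BASELINE)
    return {
        "rate": first_alarm(step_rate(BASELINE), RATE_LIMIT),
        "ac_coupled": first_alarm(ac, DISPLACEMENT_LIMIT),
        "dc_reference": first_alarm(displacement(BASELINE, BASELINE[0]), DISPLACEMENT_LIMIT),
        "ac_peak": max(abs(v) for v in ac),
    }

if __name__ == "__main__":
    print(compare())
```

The AC-coupled path settles near a constant 4.5 µV however far the baseline has moved, which is why only the fixed-reference tracker raises an alarm.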
Phase Dynamics Replay / Mimicry
GAN-synthesized or RF-injected neural trajectories that are statistically indistinguishable from genuine brain activity. No unsupervised detector can distinguish two identical distributions — this is an information-theoretic limit, not a software bug.
Detection Gap
Information-theoretic: if the injected signal has identical statistics to genuine neural activity, no passive monitor can tell them apart.
Defense
Biological TLS challenge-response protocol (Phase 2) — requires a model of the specific brain's unique response patterns
Historical Precedent
Analogous to replay attacks in network security, but operating on neural signal dynamics rather than packet contents.
SSVEP Frequency Hijack (Neural Steganography)
Embeds imperceptible flicker in displays above the critical flicker fusion threshold (~60 Hz). The visual cortex phase-locks to the flicker frequency even though the user cannot consciously perceive it, enabling covert command injection, neural side-channel exfiltration, or seizure induction.
Detection Gap
The flicker operates above conscious perception but below visual cortex response thresholds. Standard display monitoring cannot distinguish attack flicker from normal refresh.
Defense
SSVEP response correlation checking (Guardrail G3), sub-frame luminance monitoring, display firmware integrity verification
Historical Precedent
Screen flicker as a subliminal channel predates BCIs entirely. Ming et al. (2023) demonstrated a 60 Hz SSVEP BCI achieving 52.8 bits/min information transfer rate from stimuli users could not consciously see (DOI: 10.1088/1741-2552/acb51e). Bian, Meng & Wu (2022) showed trivial square wave injection forces any target classification (DOI: 10.1007/s11432-022-3440-5).
Neurophishing (Subliminal Stimuli)
Presents carefully designed visual, auditory, or haptic stimuli through BCI applications to elicit specific neural responses (P300, SSVEP, emotional markers) that reveal private information or prime the brain for subsequent attack.
Detection Gap
Dual-use: subliminal priming is a legitimate clinical research tool (e.g., Implicit Association Test). Distinguishing therapeutic from adversarial use requires intent analysis, not signal analysis.
Defense
TARA-validated content delivery via Runemate, stimulus ceiling enforcement, consent boundary monitoring
Historical Precedent
Greenwald et al. (2009) Implicit Association Test uses subliminal priming in clinical settings. The technique is identical — only the intent differs.
Cognitive Liberty: All four sovereignty attacks primarily violate Cognitive Liberty (CL) — any technique scoring Cognitive/Functional Disruption at High/Critical AND Consent Violation at Explicit/Implicit triggers a CL violation flag in the NISS scoring system. The full technique database, with 161 NISS-scored attacks, is available in the TARA Atlas.
Policy Engine (L3)
The L3 policy agent uses a RunematePolicy engine that evaluates a prioritized rule stack against live signal state. Each rule specifies conditions (NISS threshold, anomaly score, sustained window count, detector type) and actions (epsilon override, stimulation suppression, alert level). A 4-window cooldown prevents rapid oscillation between rules.
| # | Rule | Condition | Epsilon | Alert |
|---|---|---|---|---|
| 1 | critical_niss | NISS >= 8 AND anomaly >= 3.0 for 2+ windows | 0.05 | critical |
| 2 | high_niss | NISS >= 7 | 0.1 | warning |
| 3 | sustained_anomaly | anomaly >= 2.0 for 3+ windows | 0.2 | advisory |
| 4 | growth_detected | growth detector triggered | 0.1 | warning |
| 5 | spectral_peak | spectral peak detector triggered | 0.2 | advisory |
Policy-as-Code: Rules 1 and 4 also suppress outbound stimulation. Custom rule stacks can be provided programmatically or loaded from config. Future: compiled from .staves policy files via Runemate Forge, signed with ML-DSA, and hot-swapped on-chip without downtime.
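The rule stack above as a small evaluator, added here as an example and not the RunematePolicy code itself. The window field names, the default epsilon of 0.5 (taken from the specification table) and the exact cooldown semantics are assumptions; the trace is constructed.

```python
from dataclasses import dataclass
from typing import Callable

DEFAULT_EPSILON = 0.5   # baseline Local-DP epsilon from the spec table
COOLDOWN_WINDOWS = 4    # cooldown length stated on the page

@dataclass(frozen=True)
class Rule:
    name: str
    cond: Callable[[dict], bool]  # tested against one window of signal state
    sustain: int                  # consecutive windows the condition must hold
    epsilon: float
    alert: str
    suppress_stim: bool = False

# List order is priority order (rule 1 first), mirroring the table above.
RULES = [
    Rule("critical_niss", lambda w: w["niss"] >= 8 and w["anomaly"] >= 3.0, 2, 0.05, "critical", True),
    Rule("high_niss", lambda w: w["niss"] >= 7, 1, 0.1, "warning"),
    Rule("sustained_anomaly", lambda w: w["anomaly"] >= 2.0, 3, 0.2, "advisory"),
    Rule("growth_detected", lambda w: "growth" in w["detectors"], 1, 0.1, "warning", True),
    Rule("spectral_peak", lambda w: "spectral_peak" in w["detectors"], 1, 0.2, "advisory"),
]

class PolicyEngine:
    def __init__(self, rules=RULES):
        self.rules, self.streak = rules, [0] * len(rules)
        self.active, self.hold = None, 0  # index of rule in force, cooldown windows left

    def step(self, w):
        for i, r in enumerate(self.rules):
            self.streak[i] = self.streak[i] + 1 if r.cond(w) else 0
        match = next((i for i, r in enumerate(self.rules) if self.streak[i] >= r.sustain), None)
        # Assumed cooldown semantics: an equal or higher-priority match takes effect at
        # once; a lower-priority match (or none) must wait until the hold has run out.
        if match is not None and (self.active is None or match <= self.active):
            self.active, self.hold = match, COOLDOWN_WINDOWS
        elif self.hold > 0:
            self.hold -= 1
        else:
            self.active, self.hold = match, (COOLDOWN_WINDOWS if match is not None else 0)
        if self.active is None:
            return {"rule": None, "epsilon": DEFAULT_EPSILON, "alert": None, "suppress_stim": False}
        r = self.rules[self.active]
        return {"rule": r.name, "epsilon": r.epsilon, "alert": r.alert, "suppress_stim": r.suppress_stim}

# Constructed trace: one quiet window, a two-window NISS 8 burst, a spectral peak, then quiet.
TRACE = ([{"niss": 3, "anomaly": 0.5, "detectors": set()}]
         + [{"niss": 8, "anomaly": 3.2, "detectors": set()}] * 2
         + [{"niss": 3, "anomaly": 0.4, "detectors": {"spectral_peak"}}]
         + [{"niss": 3, "anomaly": 0.4, "detectors": set()}] * 4)

def run(trace):
    engine = PolicyEngine()
    return [engine.step(w) for w in trace]
```

On this trace the burst first matches high_niss, escalates to critical_niss once it has lasted two windows, and the tightened epsilon is then held for four further windows, so the lower-priority spectral_peak match cannot relax it early.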
Chain of Evidence (Proposed)
When a neural signal arrives at the BCI interface, how do you prove it hasn't been tampered with between ingestion and analysis? Classical logging can be forged. Neurowall's chain-of-evidence proposal uses blockchain-backed integrity hashing to create a tamperproof forensic record of every signal that crosses the I0 boundary.
Kellmeyer (2022) proposes that "trustworthy technological means (such as blockchain technology, differential privacy, homomorphic encryption)" be established for handling neural data and inferences on mental experience. QIF operationalizes this proposal at the signal layer: hash the raw signal at ingestion, chain it through processing layers, and detect tampering at any point in the pipeline.
Signal Ingestion Hash
At the moment a neural signal crosses the I0 boundary, Neurowall computes a cryptographic hash of the raw signal. This hash is the immutable anchor — the original state of the signal before any processing, filtering, or analysis.
Processing Chain
Each processing stage (L1 amplitude check, L2 frequency analysis, L3 policy evaluation) appends its own hash to the chain. If any intermediate stage alters the signal outside documented parameters, the chain breaks and an alert fires.
Tamper Detection
Any modification to a recorded signal — whether by a compromised driver, malicious firmware, or man-in-the-middle attack — produces a hash mismatch. The chain of evidence makes forgery computationally infeasible without detection.
Forensic Evidence
The blockchain-backed log provides a legally defensible forensic trail for regulatory bodies, institutional review boards, and litigation. Every signal that passes through a QIF-compliant device has a verifiable chain of custody from ingestion to output.
Source: Kellmeyer P, "'Neurorights': A Human Rights-Based Approach for Governing Neurotechnologies" in Cambridge Handbook of Lawyering in the Digital Age (Cambridge University Press 2022) 412–426.
DOI: 10.1017/9781009207898.032 — Kellmeyer proposes blockchain, differential privacy, and homomorphic encryption as mechanisms for protecting neural data integrity. See also Jaiman & Urovi (2020) on blockchain-based health data consent models.
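The ingestion hash, per-stage chain and tamper check described above, as an added example that is not part of the Neurowall code base. SHA-256, the record layout, the float32 sample encoding and the stage names are assumptions; the sample values are constructed, and the external ledger is reduced to a single anchored head hash.

```python
import hashlib
import struct

GENESIS = "0" * 64
STAGES = ["I0_ingest", "L1_amplitude", "L2_frequency", "L3_policy"]

def sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def pack(samples) -> bytes:
    # Assumed encoding: little-endian float32 samples.
    return struct.pack(f"<{len(samples)}f", *samples)

def build_chain(stored):
    """One record per stage: hash of that stage's output, linked to the previous record."""
    chain, prev = [], GENESIS
    for stage in STAGES:
        data_hash = sha(pack(stored[stage]))
        prev = sha(f"{prev}|{stage}|{data_hash}".encode())
        chain.append({"stage": stage, "data_hash": data_hash, "link": prev})
    return chain

def verify(chain, stored, anchored_head):
    """Return None if intact, else the first failing stage, or 'head' if the
    chain is self-consistent but does not end at the externally anchored hash."""
    prev = GENESIS
    for rec in chain:
        data_hash = sha(pack(stored[rec["stage"]]))
        link = sha(f"{prev}|{rec['stage']}|{data_hash}".encode())
        if data_hash != rec["data_hash"] or link != rec["link"]:
            return rec["stage"]
        prev = link
    return None if prev == anchored_head else "head"

def demo():
    # Constructed sample values (µV); each stage stores the signal it emitted.
    stored = {
        "I0_ingest": [12.5, -3.0, 7.25, 0.5],
        "L1_amplitude": [12.5, -3.0, 7.25, 0.5],
        "L2_frequency": [12.0, -2.5, 7.0, 0.5],
        "L3_policy": [12.0, -2.5, 7.0, 0.5],
    }
    chain = build_chain(stored)
    head = chain[-1]["link"]  # value published to the external ledger
    intact = verify(chain, stored, head)
    edited = dict(stored, L2_frequency=[12.0, 40.0, 7.0, 0.5])
    in_place = verify(chain, edited, head)               # stored signal altered only
    rebuilt = verify(build_chain(edited), edited, head)  # local log rewritten as well
    return intact, in_place, rebuilt
```

The third case is why the log has to be anchored somewhere the device cannot rewrite: a locally regenerated chain verifies link by link and fails only against the anchored head.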
TARA-Neurowall (Future Vision)
TARA is the threat intelligence. Neurowall is the active defense. TARA-Neurowall is the convergence: a Brain SIEM that combines threat knowledge with real-time neural security monitoring. The same architecture Kevin built at every company — identify signals, classify security events, deploy detections, tune for false positives — applied to the brain.
Score Ingestion
Ingest anonymized Cs scores from QIF-compliant devices. Raw neural data never leaves the device — only protected scores with differential privacy applied locally.
Fleet Monitoring
Aggregate Cs trends across device populations to detect coordinated attacks, regional interference, or systematic device failures that single-device monitoring would miss.
Threat Correlation
Cross-reference live anomaly patterns against TARA's 161-technique taxonomy. Map detected events to specific attack signatures with NISS severity scores and neurorights impact.
Federated Learning
Improve detection models without centralizing data. Devices share encrypted gradients via secure aggregation — no individual neural patterns ever leave the device.
User Dashboard
Personal Cs history, anomaly alerts, and privacy controls. Users see their own data, choose what to share, and can opt out of any external transmission at any time.
Regulatory Reporting
Generate compliance reports for FDA, IEEE, and institutional review boards. Automated evidence packages mapping detected events to neurorights violations and clinical impact.
Data Flow
QIF-Compliant Device          TARA-Neurowall Platform
┌──────────────────┐          ┌──────────────────────────┐
│ Raw Neural Data  │          │                          │
│        ↓         │          │ Score Ingestion          │
│ Local Processing │          │            ↓             │
│        ↓         │          │ Fleet Monitoring         │
│ Cs Score + DP    │─────────→│            ↓             │
│                  │ Protected│ TARA Correlation         │
│ NEVER LEAVES     │ Scores   │            ↓             │
│ the device:      │ Only     │ Alert Generation         │
│ • Raw signals    │          │                          │
│ • Decoded intent │          └────────────┬─────────────┘
│ • Neural content │                       │
└──────────────────┘                       ↓
                                Categorical Alerts Only
                           (LOW / MEDIUM / HIGH / CRITICAL)

Privacy by Design: TARA-Neurowall inherits QIF's local-first mandate. Raw neural data never leaves the device. Users can opt out of all external transmission and run in fully local mode. The platform only receives what the device's anonymization layer releases — protected scores, not signals.
NSP Protocol
The Neural Sensory Protocol is the cryptographic transport layer. Every neural data frame that leaves a BCI device passes through NSP's five-stage pipeline: compress, score, frame, encrypt, sign. NSP uses NIST-standardized post-quantum algorithms to protect against both classical and harvest-now-decrypt-later quantum threats.
Crypto Stack
Key Exchange: ECDH + ML-KEM-768
Encryption: AES-256-GCM-SIV
Signatures: ML-DSA-65
Key Rotation: SPHINCS+-SHA2-192s
Key Properties
Modeled 3.25% power overhead on 40mW budget (hardware validation pending)
Nonce-misuse resistant (safe after power loss)
Merkle amortization: 3.3KB signatures reduced to 144 bytes/frame
20-year key lifecycle with crypto agility
Runemate
Runemate provides the bytecode execution environment that runs security policy and multimodal content on-chip. The Forge compiler takes policy rules and neural UI definitions written in the Staves DSL, compiles them into compact bytecode, and the Scribe interpreter executes them on the device. This keeps security decisions local.
The Forge (Compiler)
Native lexer + recursive descent parser in Rust
24 tests passing
67.8% compression in simulation (1059B source to 341B bytecode)
TARA-validated at compile time
The Scribe (Interpreter)
< 200KB Flash, < 64KB SRAM
Rust no_std (no allocator, no GC pauses)
Sandboxed: no system calls, no memory addresses
Hot-swap policy updates (zero downtime)
Neurowall integration: Neurowall's L3 policy agent will execute Staves bytecode compiled by the Forge. Policy updates (tightening DP epsilon, changing filter frequencies, adjusting NISS triggers) are delivered as signed payloads over NSP and hot-swapped on-chip without exposing an unprotected window during the rule change.
Technical Specifications
| Property | Value |
|---|---|
| Transport | NSP v0.5 (hybrid ML-KEM-768 + AES-256-GCM-SIV) |
| Signature amortization | Merkle grouping (100 frames), ~144 bytes per-frame overhead |
| Compression | Delta + LZ4 (4KB SRAM window), 65-90% size reduction |
| Chip footprint | < 200KB (Runemate Scribe) |
| Power budget | < 5% overhead on 40mW wearable thermal budget |
| Differential privacy | Local-DP, Laplace noise (epsilon = 0.5) applied pre-transmission |
Source & Documentation
Neurowall
tools/neurowall/: Architecture, engineering specs, simulation code
sim.py: Full 3-layer pipeline simulation
test_nic_chains.py: 15 TARA-mapped attack scenarios
NSP Protocol
NSP-PROTOCOL-SPEC.md: Full protocol specification
nsp-core/: Rust implementation (FIPS 203/204)
Runemate
RUNEMATE.md: Full specification
runemate/forge/: Rust DSL compiler (24 tests passing)